Using Drones for Research and Monitoring – Ethical, Safety and Accountability framework

By Mahima Taneja

Once the preserve of the military, unmanned aerial vehicles (UAVs) are now used in a wide range of industries, from aerial surveillance of crops to search and rescue operations to the delivery of medical supplies to remote or otherwise inaccessible regions. Development sector research organizations such as Outline India are exploring the use of drones in research studies, rural infrastructure mapping and monitoring of programs and interventions. For example, in a successful pilot study Outline India used drones to produce detailed aerial maps along with elevation profile of a village through a participatory GIS mapping exercise. The study helped us in obtaining accurate granular level information of community assets and infrastructure resources, as well as map and visualize topographic differences and its relation with demographic and caste-wise distribution. The study also helped the village representative in identifying the most pressing problems in the village – which in this case was lack of drainage, water stagnation and consequently water borne diseases – and troubleshoot it by devising a drainage plan to suit the elevation of the village (Outline India, FICCI, 2017).

Drones thus have a significant potential to contribute to evidence based policy making. However, using drones for civilian applications remains a gray zone within the Indian regulatory framework. There are risks involved in the operation of drone at the level of safety, privacy, confidentiality, data protection and accountability. For example, a drone crashed into a British Airways jet over Heathrow in April 2016 in what is believed to be the first case of its kind accident, while near misses have been reported earlier as well. Another risk posed by the civilian and commercial use of drones is invasion of people’s privacy through recording of their images and videos without their consent, and sharing of the recorded data with third parties, without consent. At present, India does not have a robust data protection policy or an established CCTV code of practice unlike, for example, the CCTV code of practicein UKunder the Data Protection Act 1998.Organizations such as Outline India are setting up its own internal processes, protocols and privacy guidelines in a bid to use this technology and the exciting possibilities that come with them responsibly and ethically. This article is an attempt to systematically engage with the existing regulatory framework and debates in this area.

Regulatory Framework for using UAVs

For all practical purposes for civilian use of drones, the DGCA Draft Guidelines are followed. It mandates seeking appropriate permissions from local authorities (police station, local administrator, or local representative, as applicable) if the UAV is being operated below 200ft AGL (above ground level)in uncontrolled airspace and clear of notified, restricted, temporary segregated and temporary reserved areas. This implies that drones flying around restricted or reserved areas including airports and National Capital Territory as well drones above 200 ft AGL need to register for a license and a Unique ID as well as seek permissions from DGCA. This remains unchanged in the New Draft rules for drones, released in November 2017, as well.

This has two implications. First, one only needs local level permissions to use drones in remote and rural areas which is a good sign. A majority of development sector work such as that by Outline India is across rural India, areas where Google maps are available in little or no detail, and where there is no internet and often no phone connectivity. Satellite images are not updated regularly as is the case with cities with a high number of smartphone and Google maps users, and hence do not reflect ground realities. In such a scenario, geo-referenced aerial and 3D maps, created with the help of Unmanned Aerial Vehicles (UAVs) offer a technologically advanced solution in the social science research and public policy space. UAVs can accord visibility, by feeding into GIS information, to otherwise invisibilized spaces, visualise policy performance and exclusions where applicable and aid in expediting evidence based public policy making and monitoring.As per the new draft rules, nano-drone flying below 200 ft do not need special permits, nor do they need to register with DGCA – which is a good sign for small scale operations. However, as soon as a drone will be fitted with cameras and sensors, it will need to be registered with DGCA.

However, the second implication of the DGCA guidelines is that it is difficult to scale up drone operations since flying drones above 200 ft requires battling bureaucratic permission-seeking processes. Why this impedes scalability is because drones flying above 200 ft AGL are better equipped to capture and map larger areas of land, while below that height only a limited surface area can be captured in each flight. This means foregoing use of drones for projects such as large scale land mapping to support accurate recording and digitization of land records.

Nonetheless, a clear regulatory environment to control rogue drones as well as to counter the risks of privacy and data breach associated with drones is needed. The challenge right now is to formalize the draft rules and open up the space to uncover the potential of drones.

Privacy Concerns

India does not, as yet, have a comprehensive piece of legislation dealing with data privacy or personal data protection or an established CCTV code of practice. General obligations for the collection, transfer and use of personal information have been provided for in the Information Technology Act, 2000 (IT Act). The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (Privacy Rules) framed under Section 43-A, describe reasonable security practices and procedures that companies are required to adopt. The Privacy Rules set out obligations in respect of two classes of information: "Personal Information", which includes any information that relates to a natural person, which directly or indirectly, is capable of identifying a person; and a smaller subset of Personal Information known as SPDI, which is sensitiveinformation relating to passwords, financial information, health information, sexual orientation, medical records and biometric information.

The Privacy Rules include obtaining mandatory consent and disclosure requirements for data collection, usage, processing, storage and transfer, and requirements for appointment of a grievance officer. In relation to security practices and procedures, the Privacy Rules require every company to have in place such information security practices, standards, programmes and policies which are commensurate with the information assets being protected. For this purpose, the Privacy Rules have stipulated, as a benchmark, the International Standard IS/ISO/IEC 27001 on "Information Technology -Security Techniques - Information Security Management System – Requirements".

Organizations such as Outline India which believe in collecting reliable and high-quality data from the grassroots to support policy making and monitoring and evaluation, adheres to internal data collection and privacy protocols, in compliance with the Information Technology Rules 2011, released by the Ministry of Communication and Information Technology, Government of India, which mandate making a reasonable effort to inform individuals about the objectives of data collection and seeking informed consent. These protocols can be extended to use of UAVs as well wherein individuals likely to fall under the data collected by UAVs are informed about the general timeframe and the area of aerial mapping, kinds of data collected by UAVs, de-identification processes and privacy and security protocols. Similarly, voluntary best practices for UAV Privacy, Transparency, and Accountability, developed by the National Telecommunication and Information Administration, United States Department of Commerce can serve as an important guidepost. The challenge right now is to document and standardize such practices to fully explore the promise of innovative technologies in the development and research sector.